Common Business Logic Flaws Compromising Application Security

There is a class of complex vulnerabilities that are difficult to test for, are exploited in clever, stealthy attacks and can cost enterprises millions of dollars in losses. Sound like a description of zero-day bugs? Think again.

The description above is of business logic attacks, which are also the subject of a new whitepaper from Web application security vendor NT OBJECTives. In the report, the company details 10 of the most common business logic attack vectors and offers advice to developers on closing the door on abuses.

"Business logic is the intended behavior of the application," explained Dan Kuykendall, co-CEO and CTO of NT OBJECTives. "It’s the functionality that governs the core of what the application does, for example, which users are allowed to see what, how much users are charged for various items, etc. Business logic attacks are things you can do to exploit the logic and cheat the application…(they) are hard to test for because they require both an understanding of the application and of security. In many cases, QA teams know the business logic, but they aren’t security experts and haven’t been trained on the clever attack techniques."

The most common business logic flaws include: authentication flags and privilege escalation; critical parameter manipulation and access to unauthorized information/content; developer's cookie tampering and business process/logic bypass; LDAP parameter identification and critical infrastructure access; and business constraint exploitation. Other logic flaws on the company's list include business flow bypass; exploiting client-side business routines embedded in JavaScript, Flash or Silverlight; identity or profile extraction; file or unauthorized URL access and business information extraction; and Denial of Service (DoS) with business logic.

The cost of these types of flaws can be significant. Just recently, two brothers pleaded guilty to federal charges involving their use of business logic attacks against Nordstrom's e-commerce system to defraud the company out of $1.4 million. According to the U.S. Attorney's office, the two schemed to defraud the store after being barred from placing orders through Nordstrom.com. As part of their plot, the brothers – who were members of FatWallet.com, an online coupon and shopping site that offers cash back incentives for purchases – made purchases through Nordstrom's online ordering system knowing they would be blocked. However, because of a flaw they exploited, Nordstrom would compensate FatWallet for the order and the brothers would receive cash back credit.
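The Nordstrom case reduced to its essence, as an added illustration that is not code from the article or from NT OBJECTives (the order flow, the barred-customer list, the affiliate names and the cash-back rate are all hypothetical): the vulnerable version pays the affiliate before the business rule runs, the fixed version pays only once an order is actually accepted, and a reconciliation check flags credits that no accepted order justifies.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): customers an operator has barred
# from ordering, and the cash-back rate an affiliate site earns per order.
BARRED_CUSTOMERS = {"cust-42"}
CASHBACK_RATE = 0.05


@dataclass
class Ledger:
    accepted_orders: list = field(default_factory=list)    # (customer, affiliate, amount)
    affiliate_credits: dict = field(default_factory=dict)  # affiliate -> credited total


def place_order_vulnerable(ledger, customer, affiliate, amount):
    # Flaw: the affiliate payout is recorded as soon as the order is submitted,
    # so a barred customer who knows the order will be rejected still earns credit.
    credit = amount * CASHBACK_RATE
    ledger.affiliate_credits[affiliate] = ledger.affiliate_credits.get(affiliate, 0.0) + credit
    if customer in BARRED_CUSTOMERS:
        return "blocked"
    ledger.accepted_orders.append((customer, affiliate, amount))
    return "accepted"


def place_order_fixed(ledger, customer, affiliate, amount):
    # Fix: every business rule is evaluated first; money-moving side effects
    # happen only after the order has reached the accepted state.
    if customer in BARRED_CUSTOMERS:
        return "blocked"
    ledger.accepted_orders.append((customer, affiliate, amount))
    credit = amount * CASHBACK_RATE
    ledger.affiliate_credits[affiliate] = ledger.affiliate_credits.get(affiliate, 0.0) + credit
    return "accepted"


def unearned_credits(ledger):
    # Detection: reconcile what each affiliate was credited against what the
    # accepted orders justify. Returns {affiliate: excess} for overpaid affiliates.
    earned = {}
    for _, affiliate, amount in ledger.accepted_orders:
        earned[affiliate] = earned.get(affiliate, 0.0) + amount * CASHBACK_RATE
    return {
        affiliate: round(credited - earned.get(affiliate, 0.0), 2)
        for affiliate, credited in ledger.affiliate_credits.items()
        if credited - earned.get(affiliate, 0.0) > 1e-9
    }
```

Running the same two orders (one from a barred customer, one legitimate) through each version shows the vulnerable ledger carrying $10 of unearned credit and the fixed ledger none.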

Because exploiting these flaws means the attacker is abusing the natural functionality of the app, business logic flaws will always need to be tested for manually.

"The fact that it is complex is the reason it’s tough to automate," Kuykendall told SecurityWeek. "The complexity and lack of repeatable pattern is the problem. These vulnerabilities are different in every situation and require human thought, deductive reasoning and clever thought to successfully attack."

"The good news is that experienced pen testers understand these vulnerabilities and know what to look for," he continued. "The automated scanners can automate the repeatable aspects that can be more mundane and error prone for human testers. Then the complex aspects that require human intervention, understanding of the business and an ability to cheat the application logic can be left to the penetration testers."